SolarWinds attack threatens global government cyber-infrastructure

FireEye reported last week that several major government security vendors had been subjected to a fresh wave of attacks by nation-state actors. This breach managed to give threat actors access to certain government internal systems and to FireEye’s red team tools. FireEye reported that the attack took place in the form of trojanized updates to SolarWinds’ Orion IT monitoring and management software. However, SolarWinds maintains that less than 18,000 of its global clients were compromised.

In light of these disturbing revelations around the SolarWinds software, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, calling on “all federal civilian agencies to review their networks for indicators of compromise and to disconnect or power down SolarWinds Orion products immediately.”

Both the American Department of Homeland Security (DHS) and the British National Cybersecurity Centre (NCSC) has said that they are aware of the breaches across the federal cyber infrastructure. Both are working intimately with the public and private sectors to come up with a suitable response to the threat.

FireEye has recommended that all organizations with SolarWinds Orion software installed immediately adjust their settings according to the company’s latest guidance protocol. They have further suggested that all SolarWinds instances be installed behind firewalls and that all internet access to these instances is revoked. Sam Curry, the chief security officer at Cybereason, commented: “In general, now is not the time for security experts to panic. A practical and measured response is advised.”

Read: https://www.infosecurity-magazine.com/news/dhs-cisa-ncsc-warnings/

Canadian critical infrastructure protection law Bill C-26 faces criticism from civil rights groups

Earlier this year, the Canadian federal government implemented its first-ever cyber security law. Bill C-26 amends the Telecommunications Act and introduces the Critical Cyber Systems Protection Act (CCSPA), which imposes data protection obligations on operators of critical infrastructure and facilitates threat information exchange.

Although reactions were positive at first, criticism has started to emerge from both civil rights groups and the business community.

The Canadian Civil Liberties Association, along with several other groups and academics, published a “Joint Letter of Concern Regarding Bill C-26” in late-September 2022. The CCSPA would enable the government to act without performing proportionality, privacy and equity assessments to protect against abuse, according to civil rights groups, and allow the Communications Security Establishment access to large amounts of sensitive data without being limited in how it uses such data to comply with its cyber security mandate.

However, the criticism doesn’t end there. The Business Council of Canada believes the CCSPA requires all operators to comply with the same regulations, without a risk-based approach, and without an information-sharing regime that would benefit all operators. Furthermore, the Council believes the proposed monetary penalties and prison terms are “overly high and unnecessary to encourage” operators to improve their cyber security posture.

The emerging stakeholder consensus appears to be that the bill contains many flaws, even though more groups are likely to comment on it in the future. As the bill goes through the Committee stage of its review, it will be interesting to see whether and how it emerges.

Read: https://gowlingwlg.com/en/insights-resources/articles/2022/bill-c-26-rights-groups-oppose-infrastructure-law/

A group of former Facebook employees took bribes to hijack user accounts

Over the last year, a total of two dozen Meta employees and contractors have been fired or disciplined for improperly hijacking user accounts, in some cases for bribes, says the Wall Street Journal. The news outlet reported that some of those fired worked for Meta as security guards and were given access to “Oops,” Facebook’s internal troubleshooting system for employees.

“Oops,” which stands for Online Operations, helps users if they either forget their passwords, lose their emails, or have had their accounts hacked. A user can recover their account by filing an “Oops” report, which includes a series of questions and whether the request is being made for someone on CEO Mark Zuckerberg’s team, a celebrity, or a Meta partner.

Typically, Oops is reserved for friends, family, business partners, and public figures who want to cut in line for assistance. However, because the mechanism is unavailable to a vast majority of Facebook users, a cottage industry of intermediaries has developed, charging users to regain control.

Meta’s spokesman, Andy Stone, said fraudulent individuals are always targeting online platforms and adapting their tactics to respond to detection methods commonly used throughout the industry and added that the company would continue to take “appropriate action against those involved in such schemes.“

Read: https://www.wsj.com/articles/meta-employees-security-guards-fired-for-hijacking-user-accounts-11668697213

Massachusetts Department of Public Health accused of installing ‘spyware’ called COVID-19 on 1 million devices

The Massachusetts Department of Public Health (DPH) is facing a class action lawsuit for allegedly working with Google to install “spyware” onto the Android devices of a million state residents without their knowledge during the COVID-19 pandemic.

“This ‘android attack,’ deliberately designed to override the constitutional and legal rights of citizens to be free from government intrusions upon their privacy without their consent, reads like dystopian science fiction—and must be swiftly invalidated by the court,” said Peggy Little, the Senior Litigation Counsel from the New Civil Liberties Alliance (NCLA), the nonpartisan civil rights group that filed the lawsuit.

The app, once automatically installed, didn’t appear on the device’s home screen as newly-installed apps typically do. Instead, it was invisible and could only be found by opening “settings” and using the “view all apps” feature, according to NCLA.

The NCLA has asked the federal court to block the installation of the Massachusetts DPH app on private devices and to declare that the state’s actions violate Fourth Amendment rights.

Read: https://www.zerohedge.com/political/lawsuit-claims-massachusetts-installed-covid-19-spyware-1-million-devices

Elsewhere Online:

Microsoft subsidiary GitHub Copilot facing landmark AI copyright lawsuit
Read: https://www.theverge.com/2022/11/8/23446821/microsoft-openai-github-copilot-class-action-lawsuit-ai-copyright-violation-training-data

Possible Chinese state sponsored threat actors behind recent surge of Microsoft Zero Day attacks
Read: https://www.securityweek.com/patch-tuesday-microsoft-scrambles-thwart-new-zero-day-attacks

Republican senators urge FTC not to take online privacy regulations on itself
Read: https://www.mediapost.com/publications/article/379534/gop-senators-urge-ftc-to-scrap-privacy-rulemaking.html

Metrics like ‘Cooperation’ and ‘Diligence’ are used by TikTok to score influencers
Read: https://gizmodo.com/tiktok-influencer-social-score-cooperation-diligence-1849763148

An FBI warrant is executed at the home of an Area 51-related website owner
Read: https://www.zerohedge.com/markets/fbi-conducts-no-knock-warrant-home-owner-website-devoted-area-51